Small Merchants Remain Most Vulnerable To Data Security Threat, Trustwave Says

An owner of a new restaurant likely would not hesitate to buy a $300 fire extinguisher to comply with local fire codes, but he might put off spending about half that much to ensure compliance with standards designed to protect customers’ credit card data, a new report suggests.

Doug Klotina, executive vice president of payment services and channel partners at Trustwave, a Chicago-based data-security and compliance-service provider, makes that analogy in summing up the key message in his company’s July report “Payment Card Trends and Risks for Small Merchants.”

Though awareness of what the Payment Card Industry Data Security Standard means has improved, the report indicates a need for more knowledge about standard compliance among small merchants, Klotina tells PaymentsSource.

“It is considerably simpler to be compliant than it was a few short years ago,” Klotina says. “And I think it is a positive trend that more people are aware of what PCI is when you mention it.”

The report, compiled from client data Trustwave collected from 2010, pinpoints Level 4 merchants–those processing fewer than 20,000 Visa transactions online annually–and all other retailers processing up to 1 million Visa transactions annually as the most vulnerable to attack by hackers.

“This is organized crime, not just some kids stealing data,” Klotina says. “They look to identify weaknesses (in the merchant’s payments system) and then go after it, and that’s how small merchants get in trouble.”

In what Trustwave calls a consistent trend, data from 220 breach investigations reveal that food and beverage businesses were the most likely target of an attack, representing 57% of compromised merchants, followed by retail merchants at 18% (see chart). Nearly all compromises occurred with merchants using broadband connections to their payment terminals, the report notes.

Trustwave contends the 80% of small businesses reporting not having in-house information-technology or security staff were justified because of cost and the amount of other work involved. Most small merchants have little or no knowledge on how to configure their networks to ensure their card transactions are protected, the report adds.

“Going back to the restaurant owner who would buy the fire extinguisher without thinking twice, they have to understand it would cost half of that to be PCI compliant,” Klotina says. “But the cost of a breach is far more expensive (than a fire at the restaurant) because it can affect you the rest of your lives.”

The report reveals five key areas in which merchants are falling short in compliance, including not having written security policies and procedures for protecting the card-processing device; a formal security-training program for relevant employees; a log or record of customer credit card numbers in a back-office computer, laptop or financial application; the store or office checked quarterly for unauthorized wireless access points; or quarterly network-vulnerability scans performed.

The fast pace of technology in the payments industry adds to a merchant’s lack of knowledge, but it also presents opportunities, Klotina contends.

“Technology usually advances convenience, and that can have positive effects on a business,” he says. “Security isn’t necessarily in lock-step with technological advancement for small merchants, but the really sharp companies will recognize that PCI security is important and powerful.”
